ABSTRACT

Computer communications are becoming increasingly important in the
command, control and communications community. Using models to verify
that the communication protocols used by these computers function
properly is a time and effort saving device. A model called systems of
communicating machines combines two types of models, finite state
machines and programming language models.

In this thesis systems of communicating machines is used to specify and
analyze the IEEE token ring protocol. The specification makes several
simplifying assumptions about the protocol in order to make the analysis
manageable. These simplifications include limiting the network to two
machines and shortening the frame and token formats to reduce the number
of transmissions on the network. This thesis exercises the resulting
specification to verify both that the protocol won't fail and that the
specification is correct. The type of analysis used in this thesis is called a
reachability analysis or a system state analysis.

This specification and analysis of the IEEE token ring protocol proves the
protocol won't fail for a two machine network. This thesis also proves that
the specification of the protocol is correct.

I. INTRODUCTION

A. FORMAL MODELING OF PROTOCOLS

A protocol is a set of rules and procedures used by different computers
to communicate with each other. The protocols are implemented on the
computers in a network as a set of common software. The purpose of a
protocol is to establish a common set of rules and procedures to allow
different computers to communicate. Protocols are designed in layers, with
the bottom layer being the interface with the communications medium and
the top layer being the user application. The number of layers in between
depends on the design of a particular system and which standard (if any) it
follows.

Each layer of a communications protocol is designed to accomplish
specific tasks. These tasks range from transmitting bits on the
communication medium and reading bits from the medium to breaking files
destined for transfer into packets and formatting those packets into frames
that will be recognizable to the receiving machine. The design and
implementation of a large protocol suite can be a very complicated task; it
is not always easy to understand how all the pieces fit together. This
complexity makes the testing and verification of a new protocol difficult.
Testing a new protocol design can also be very expensive; not only is
computer time a valuable resource, but many potential failures can take
days to occur.

Due to the complexity and expense of testing new protocols, systems
designers turned to modeling the software to find potential problems. Many
methods for modeling computer networks have been developed: Petri nets,
finite state machines, programming languages and hybrid models. Analysts
use one or more of these models to specify a network as completely as
possible and then run the model to test for possible system failures. These
failures fall into two general categories: safety errors and progress errors.
A safety error occurs when the protocol fails and communication ceases.
Examples of safety errors include deadlock (a system state from which
there is no exit) and livelock (an infinite loop of a small number of system
states). A progress error occurs when one or more stations in the network
are unable to participate in the communication activity. An example of a
progress error is starvation (where one or more stations in the network
never get a chance to transmit information). These models can help identify
these potential failure conditions. They can also be used to prove the
functional correctness of a particular protocol, assuming the model is
accurate. For these reasons, much time and research effort has gone into
the search for new, easier to use models.

B. THE TOKEN RING PROTOCOL

A local area network (LAN) is designed to connect computers in a small
geographic area, such as an office, building, or several buildings. These
networks typically use microcomputers as workstations to share a
minicomputer or mainframe among many users. The microcomputers also
stand alone and enable their users to perform other computing functions
without tying up the main computer. A typical use would be to run user
applications requiring a lot of computational power and speed on the
mainframe computer and use the microcomputers for electronic mail,
running programs remotely on the mainframe, etc. LANs also allow the
users to share other expensive resources, such as a graphics printer.

The token ring network is a LAN. The computers on the network are
connected serially in a ring configuration. Each computer has an upstream
neighbor and a downstream neighbor (see Figure 1). Data flows around the
ring in one direction only. A computer receives data from its upstream
neighbor and forwards data to its downstream neighbor. At any one time,
only one computer is transmitting new data on the ring. All other
computers are only repeating the transmitted data (and some are copying
the data into buffers as they repeat it on the ring).

Figure 1: Token Ring Configuration

A unique pattern of bits, called a token, is continuously circulated on the
ring. When a station wants to transmit, it must wait until it gets the token.
When it gets the token, it removes the token from the ring (so no one else
can transmit) and transmits its data. Every station on the ring has a timer
to prevent it from holding the token too long (and thus monopolizing the
ring). When a station has completed transmitting, it waits for the message
to return and then removes it. The station then generates and transmits a
new token on the ring. In this manner, the token propagates around the ring
and every station gets a chance to transmit eventually.

In 1985, the Institute of Electrical and Electronics Engineers (IEEE) and
the American National Standards Institute (ANSI) issued the 802 group of
standards. These standards defined the requirements for three types of
LANs: the Carrier Sense Multiple Access with Collision Detect (CSMA/CD),
the token passing bus, and the token ring. The purpose of these standards is
to ensure uniformity among various LANs of the same type and allow users
to buy equipment from different vendors and know it will follow the rules.
These standards will also make it possible to connect different networks of
the same type with a minimum amount of effort. The standard for the
physical and medium access control layers of the token ring network, which
is the basis for this thesis, is ANSI/IEEE Standard 802.5-1985.

C. SYSTEMS OF COMMUNICATING MACHINES

One model used to specify and analyze communication protocols is
called systems of communicating machines. This model has been used to
specify several types of network protocols, such as CSMA/CD, High-Level
Data Link Control (HDLC) and various routing protocols. It also has been
used to specify a simplified version of the token ring protocol. Section II
contains a detailed description of this model and the simplifying
assumptions that were used to apply it to the token ring network.

Systems of communicating machines uses a combination of finite state
machines and variables to model the token ring protocol. Each
communicating machine is in one of several possible states and has local
variables. In any particular state, one or more actions are possible. These
actions may or may not lead to a state transition, and they may or may not
change the values of some variables. Which actions are allowed depends on
the values of the local and global variables and the current state of the
communicating machine. All transitions and actions are instantaneous;
once a transition is enabled, it may occur at any time. Communication
between machines is accomplished through shared variables. Machines read
and write these shared variables to communicate. Each communicating
machine will have its own local state; the set of all local states in a
network is either a system or a global state.

II. THE SYSTEMS OF COMMUNICATING MACHINES MODEL

This chapter formally defines the systems of communicating machines
model used to specify communication protocols. The first two sections of
this chapter briefly describe the two modeling techniques, finite state
machines and programming language models, which form the basis for the
systems of communicating machines model. The third section gives the
formal definition of the general model; the adaptation of this model used to
specify the token ring protocol will be described in Chapter IV.

A. COMMUNICATING FINITE STATE MACHINES

One method of modelling communication protocols is with
communicating finite state machines. In this model, each process is
modelled as a finite state machine and implicit queues are used for
communication. Global states are used to define every possible condition of
the network. A global state consists of the state of every process in the
network and the contents of the queues. Transitions are enabled by various
combinations of the contents of the queues, and thus machines in the
network transition from state to state, possibly changing the contents of
the queues when they transition.

Communicating finite state machines are primarily used to perform a
reachability analysis. This analysis consists of exercising the model until
every possible state has been generated from the starting state. This type
of analysis is useful for predicting deadlocks in the network and
documenting the events leading to a deadlock.

The chief disadvantage of using communicating finite state machines for
this analysis is the so-called "state explosion". Even if the queue lengths
are finite (which is not required in the pure finite state machine model),
modern protocols are so complex that the number of states generated with
this model can be unmanageable. [Ref. 1]

B. PROGRAMMING LANGUAGE MODELS

Programming language models of communication protocols have the
advantage of being more flexible and robust than finite state machines.
However, programming language models are also much more complex than
finite state machines. Several programming languages have been developed
or adapted for the purpose of modelling protocols. These languages include
CSP, Ada, and LOTOS. While each language has features to aid in this
analysis, the programming task can be very formidable if the protocol to be
modelled is large and complex. [Ref. 1]

C. SYSTEMS OF COMMUNICATING MACHINES

The systems of communicating machines model is an attempt to combine
the best features of the finite state machine model with some features
from the programming language model. The resulting model uses finite
state machines, but it uses local variables to reduce the number of machine
states. It also uses shared variables instead of queues for communicating.
The following formal definition of systems of communicating machines
is quoted from [Ref. 2] and is reprinted here for the reader's convenience.

A system of communicating machines is an ordered pair
C = (M, V), where

M = {m_1, m_2, ..., m_n}

is a finite set of machines, and

V = {v_1, v_2, ..., v_k}

is a finite set of shared variables, with two designated subsets R_i and
W_i specified for each machine m_i. The subset R_i of V is called the set of
read access variables for machine m_i, and the subset W_i the set of write
access variables for m_i.

Each machine m_i ∈ M is defined by a tuple (S_i, s, L_i, N_i, τ_i), where

(1) S_i is a finite set of states;

(2) s ∈ S_i is a designated state called the initial state of m_i;

(3) L_i is a finite set of local variables;

(4) N_i is a finite set of names, each of which is associated with a
unique pair (p, a), where p is a predicate on the variables of L_i ∪ R_i,
and a is an action on the variables of L_i ∪ R_i ∪ W_i. Specifically, an
action is a partial function

a : L_i × R_i → L_i × W_i

from the values contained in the local variables and read access
variables to the values of the local variables and write access
variables.

(5) τ_i : S_i × N_i → S_i is a transition function, which is a partial
function from the states and names of m_i to the states of m_i.

Machines model the entities, which in a protocol system are processes
and channels. The shared variables are the means of communication
between the machines. Intuitively, R_i and W_i are the subsets of V to which
m_i has read and write access, respectively. A machine is allowed to make a
transition from one state to another when the predicate associated with the
name for that transition is true. Upon taking the transition, the action
associated with that name is executed. The action changes the values of
local and/or shared variables, thus allowing other predicates to become
true.

The set L_i of local variables specifies a name and a range for each. The
range must be a finite or countable set of values.

A system state tuple is a tuple of all machine states. That is, if (M, V)
is a system of n communicating machines, and s_i, for 1 ≤ i ≤ n, is the state
of machine m_i, then the n-tuple (s_1, ..., s_n) is the system state tuple of
(M, V). A system state is a system state tuple, plus the outgoing
transitions which are enabled. That is, two system states are equivalent if
every machine is in the same state, and the same outgoing transitions are
enabled. The initial system state is the system state such that every
machine is in its initial state, and the outgoing transitions are the same as
in the initial global state.

The global state of a system consists of the system state, plus the
values of all variables, both local and shared. It may be written as a larger
tuple, combining the system state with the values of the variables. The
initial global state is the initial system state, with the additional
requirement that all variables have their initial values. A global state
corresponds to a system state if every machine is in the same state, and the
same outgoing transitions are enabled. That is, a global state consists of a
tuple of machine states, plus the values of all variables. A system state
with the same tuple of machine states as the global state and the same
enabled outgoing transitions is the corresponding system state.

Let τ(s_j, n) = be a transition which is defined on machine m_i.
Transition τ is enabled if the enabling predicate p, associated with name n,
is true. Transition τ may be executed whenever m_i is in state s_j and the
predicate p is true (enabled). The execution of τ is an atomic action, in
which both the state change and the action a associated with n occur
simultaneously.

Note that if the values of all variables are restricted to some finite
range, then the model can theoretically be reduced to a simple finite state
machine. Otherwise, an infinite number of global states are possible.
However, even if the number of global states is infinite, the number of
system states is finite, because of the finiteness of each machine. This
may allow a reachability analysis on the system states, when a reachability
analysis on the global states is infinite. Even when the values of all
variables are of a finite range, the number of global states in the equivalent
FSM system may be so large as to be intractable. [Ref. 2]
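The following added example (not part of the thesis or of [Ref. 2]) runs a reachability analysis over a toy system of communicating machines: two stations whose shared variables are the two ring links. The state names, transition names, the single local variable and the `reissue_token` switch are assumptions made for illustration; they are not the thesis's action table.

```python
from collections import deque

N = 2                    # two-station ring, the page's simplified network
EMPTY, TOKEN = "", "T"   # link contents; a frame is the tuple (source, c_bit)


def station(i, reissue_token=True):
    """Machine m_i as {(state, name): (predicate, action, next_state)}.

    shared[j] is the link written by station j: m_i reads link i-1 (its
    inbuf) and writes link i (its outbuf). The one local variable is the
    C bit of the last frame m_i stripped (None before the first).
    """
    inb, outb = (i - 1) % N, i

    def move(sh, out):
        # Empty the input buffer and fill the output buffer in one atomic step.
        new = list(sh)
        new[inb], new[outb] = EMPTY, out
        return tuple(new)

    def has_token(sh, lo):
        return sh[inb] == TOKEN and sh[outb] == EMPTY

    def frame_from(sh, mine):
        f = sh[inb]
        return isinstance(f, tuple) and (f[0] == i) == mine and sh[outb] == EMPTY

    def strip(sh, lo):
        # Remove own frame, remember its C bit, then (normally) issue a token.
        return move(sh, TOKEN if reissue_token else EMPTY), sh[inb][1]

    table = {
        ("idle", "queue_pdu"): (lambda sh, lo: True, lambda sh, lo: (sh, lo), "ready"),
        ("idle", "pass_token"): (has_token, lambda sh, lo: (move(sh, TOKEN), lo), "idle"),
        ("ready", "seize"): (has_token, lambda sh, lo: (move(sh, (i, 0)), lo), "sent"),
        ("sent", "strip"): (lambda sh, lo: frame_from(sh, True), strip, "idle"),
    }
    for st in ("idle", "ready"):  # repeat the other station's frame, C bit set
        table[(st, "copy")] = (lambda sh, lo: frame_from(sh, False),
                               lambda sh, lo: (move(sh, (sh[inb][0], 1)), lo), st)
    return table


def enabled(machines, g):
    """All (machine, name, action, next_state) whose predicate holds in g."""
    states, locs, shared = g
    return [(i, name, action, nxt)
            for i, table in enumerate(machines)
            for (st, name), (pred, action, nxt) in table.items()
            if st == states[i] and pred(shared, locs[i])]


def explore(machines, shared0):
    """Breadth-first reachability from the initial global state.

    Returns (global_states, system_states, deadlocks). A system state is the
    tuple of machine states plus the set of enabled outgoing transitions.
    """
    start = (("idle",) * N, (None,) * N, shared0)
    seen, todo = {start}, deque([start])
    system_states, deadlocks = set(), []
    while todo:
        g = todo.popleft()
        states, locs, shared = g
        moves = enabled(machines, g)
        system_states.add((states, frozenset((i, n) for i, n, _, _ in moves)))
        if not moves:
            deadlocks.append(g)       # no exit from this global state
        for i, _, action, nxt in moves:
            new_shared, new_local = action(shared, locs[i])
            succ = (states[:i] + (nxt,) + states[i + 1:],
                    locs[:i] + (new_local,) + locs[i + 1:],
                    new_shared)
            if succ not in seen:
                seen.add(succ)
                todo.append(succ)
    return seen, system_states, deadlocks


def analyse(reissue_token):
    machines = [station(i, reissue_token) for i in range(N)]
    # Initially exactly one shared variable holds the token.
    return explore(machines, (EMPTY, TOKEN))


if __name__ == "__main__":
    for ok in (True, False):
        g, s, d = analyse(ok)
        print(f"reissue_token={ok}: {len(g)} global, {len(s)} system, deadlocks={d}")
```

With `reissue_token=False` the stripping station never puts a new token on the ring, and the search reports the global states in which both stations hold a queued PDU and nothing can move.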
III. THE IEEE TOKEN RING PROTOCOL

This chapter gives a brief overview of how a token ring LAN operates.
The discussion is based on [Ref. 3] and therefore does not pertain to any
particular implementation of the token ring protocol. Section A explains
the physical layout of the network. Section B describes the formats of the
frames and tokens that are circulated on the ring. Section C concludes this
chapter with a description of how the token ring operates. For a more
detailed explanation of the token ring protocol, see [Ref. 3].


A. TOPOLOGY

A token ring LAN is configured in a ring. Transmission is point to point,
in one direction only. Most token rings use centrally located switching
centers to accomplish the ring connections, and each station on the ring has
its own cable connection to the switching center. When a particular station
wants to connect to the ring, it sends a signal to the switching center. The
switching center activates a relay that inserts the station into the ring; as
long as the signal from the station is present, the relay remains energized
and the station is connected to the ring. When an error is detected by either
the switching center itself or the station, the relay is de-energized and the
station is placed in the bypass mode. This scheme is very flexible; as long
as there are connections available in the switching center, new stations can
be added to the ring. The switching centers can also be connected to each
other, allowing more room for expansion. The maximum size of a token ring
network is 250 stations, which is determined by timing and data rate
considerations beyond the scope of this thesis.

B. FORMATS

The token ring network uses a form of encoding known as differential
Manchester. This encoding scheme allows timing information to be implicit
in the data signal. It also allows two symbols to be defined which are not
data symbols. These unique symbols, called J and K, are used in both the
token and the frame starting and ending delimiters. If these unique symbols
occur anywhere else in a frame, an error has occurred and the network
accomplishes recovery procedures.

The token format is

[SD, AC, ED].

The frame format is

[SD, AC, FC, DA, SA, INFO, FCS, ED, FS].

SD is the starting delimiter and consists of J, K, and 0 symbols. AC is the
access control field. A token bit in this field lets a receiving station know
if it is processing a token or a frame; if it is a token, the receiving station
may change the token bit to denote a token and begin transmitting its
messages. The ED field is the ending delimiter and consists of J, K, and 1
symbols. The FC field in a frame is the frame control field and identifies
the type of frame. The DA and SA fields are the destination and source
addresses for this frame. The INFO field is the information field and is
optional, i.e., a control frame does not need to contain an information field,
but a data message will obviously contain information. The FCS field is the
frame check sequence used for error detection. The FS field is the frame
status field used by the receiver to acknowledge reception of a message.
For a more detailed explanation of these fields and their formats,
see [Ref. 3].

C. OPERATION

When a station on the ring wants to transmit a frame, it must first seize
the token. When the station detects a usable token, i.e., a token with a
priority that is equal to or lower than the priority of the frame the station
wants to transmit, it sets the token bit to indicate a frame is next. Setting
the token bit changes the token to a frame; the station has now "seized" the
token. Now no other station can transmit new information onto the ring.
The station proceeds to transmit its frame(s) until it is done or its
maximum allowable time to hold the token expires (this time limit is
determined by the network managers). The station then transmits an
end-of-frame sequence and transmits fill (all zeroes) while it waits for the
last frame transmitted to go full cycle and return. When this last frame is
received, the station generates a new token and transmits it on the ring,
allowing the next station an opportunity to transmit.

Every station is responsible for removing all messages it originates from
the ring. This is necessary to ensure old frames do not circulate forever on
the ring. While a station is waiting for its last transmitted frame to
return, it is also stripping all its previous messages from the ring and
replacing them with fill. The last field in a frame is used by the
destination to acknowledge receipt of a frame. Two bits are used to
indicate whether a station recognized its own address in the frame header
and whether or not that station copied the frame into its buffers. These
bits let the sending station know the result of its transmission.

On every token ring, one station assumes the role of active monitor;
every other station on the ring is automatically a standby monitor. The
active monitor is responsible for maintaining the ring in proper operating
condition. It checks and corrects the signal timing to keep all stations
synchronized. The active monitor checks to see that a token is always
present on the ring. It monitors frames that pass to make sure they are
new, not leftover frames that some station didn't remove. The active
monitor also lets the other stations on the ring know that an active monitor
is present by broadcasting a special control frame periodically. The active
monitor uses timers to monitor these conditions; the timers are reset when
certain conditions are met (such as a valid token going by). If an error is
detected, the active monitor takes corrective actions. Every station on the
ring that is not the active monitor is a standby monitor. If a standby
monitor believes there is no active monitor present on the ring (because of
the absence of the control frames), it will assume the role of active
monitor. In this way, the token ring network is self-monitoring. For a more
detailed description of the active monitor and its functions, see [Ref. 3].
IV. SPECIFICATION OF THE TOKEN RING PROTOCOL

This chapter explains how systems of communicating machines can be
used to specify and analyze the token ring protocol that is stated in [Ref. 3].
The general model is explained in Chapter II of this thesis; this chapter
describes the specific adaptation of the model to specify the token ring
protocol. Section A explains the assumptions used to simplify the protocol
to make the model more manageable. Section B describes the formats of the
tokens and frames which are transmitted by the stations in the model.
Section C explains how the model is structured and how it works. The
explanation includes a picture of the finite state machine part of the model,
a description of the local and shared variables used by the communicating
machines, and a transition name/action table to describe the various states
and transitions between them.

A. SIMPLIFICATIONS OF THE PROTOCOL

The model systems of communicating machines can be used to model the
token ring protocol. In [Ref. 2], this model has been adapted to specify the
token ring protocol. In order to keep the specification down to a reasonable
size, several simplifications were made to the protocol. These
simplifications were (from [Ref. 2]):

1. No attempt is made to model the timing. It is assumed that
transitions which are enabled will occur, eventually.

2. The input and output buffers (that is, the shared variables) of the
entire network have the capacity to hold the largest frame transmitted on
the ring. This means that when a station transmits a frame, it may
transmit the entire message before checking its input buffers for the first
part of the message.

3. Only one frame is transmitted before giving up the token. In the
IEEE standard, a station may send as many frames as it can before the
expiration of THT, the token holding timer. For purposes of brevity, in this
section the limit is one message.

4. No errors in transmission. In the standard, much of the complexity
of the protocol goes into handling errors.

5. All messages have equal priority. The standard protocol allows
eight different priority levels, with an elaborate procedure for raising and
lowering them.

6. No active or standby monitors. In the standard token ring, every
station contains a monitor for various error checking. [Ref. 2]

Most of these simplifying assumptions could be relaxed, if a more
realistic model is desired. However, none of these assumptions
significantly changes the function of the protocol and the model is easier to
analyze using them.

B. MESSAGES AND FORMATS

In IEEE Standard 802.5-1985, four different types of units are
transmitted on the ring: binary 0, binary 1, non-data symbol J and non-data
symbol K. In the model used to specify the token ring protocol, the units
transmitted on the ring are characters. This means that each station on the
ring will transmit and receive a sequence of characters rather than
individual bits. The model uses two special characters, 'J' and 'K', to denote
the beginning and end of a message, respectively. These special characters
will not appear in the middle of a message. Two types of messages will be
transmitted in this model: the token and the frame. The token shall have
the format

[J, T, K]

and the frame shall have the format

[J, F, DA, SA, INFO, K, C],

where the DA and SA fields are both integers indicating the destination and
source addresses of the frame, INFO is the data being transmitted (and thus
will be a sequence of characters generated by a higher level protocol), and
the C field is one bit. The C bit is the "frame copied" bit and lets the sender
know whether or not the INFO was copied by the destination station. [Ref. 2]

The first character of any message is a J, followed by either a T or an F,
indicating whether the message is a token or a frame. If the message is a
token, the next character is a K, ending the message. If the message is a
frame, the next two characters are integers indicating the destination and
sending stations, followed by a sequence of characters which are the data
being transmitted. The message ends with a K and the C bit. The receiver
uses the C bit to indicate reception of the message to the sender. [Ref. 2]
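As an added illustration (not code from the thesis or [Ref. 2]), the parser below accepts exactly the two model formats [J, T, K] and [J, F, DA, SA, INFO, K, C] and rejects a J or K in the middle of a message. The list-of-units representation, the function names and the `capacity` of msgbuf are assumptions; `repeat` shows the receiver setting the C bit only when it actually copied the frame.

```python
J, K = "J", "K"   # reserved delimiter characters of the model


def parse_messages(units):
    """Split a list of received ring units into messages.

    Returns ("token",) and ("frame", da, sa, info, c) tuples, and raises
    ValueError for anything that is not a well-formed token or frame.
    """
    msgs, pos, n = [], 0, len(units)
    while pos < n:
        if units[pos] != J or pos + 1 >= n:
            raise ValueError(f"unit {pos}: message must start with J and a type")
        kind = units[pos + 1]
        if kind == "T":
            if pos + 2 >= n or units[pos + 2] != K:
                raise ValueError(f"unit {pos + 2}: token must end with K")
            msgs.append(("token",))
            pos += 3
        elif kind == "F":
            if pos + 3 >= n:
                raise ValueError("truncated frame header")
            da, sa = units[pos + 2], units[pos + 3]
            if not (isinstance(da, int) and isinstance(sa, int)):
                raise ValueError(f"unit {pos + 2}: DA and SA must be integers")
            end = pos + 4
            while end < n and units[end] != K:
                u = units[end]
                # INFO is a run of single characters; J may not appear in it.
                if not isinstance(u, str) or len(u) != 1 or u == J:
                    raise ValueError(f"unit {end}: illegal unit {u!r} in INFO")
                end += 1
            # A stray K inside INFO ends the frame early and fails this check.
            if end + 1 >= n or units[end + 1] not in (0, 1):
                raise ValueError("frame must end with K followed by the C bit")
            info = "".join(units[pos + 4:end])
            msgs.append(("frame", da, sa, info, units[end + 1]))
            pos = end + 2
        else:
            raise ValueError(f"unit {pos + 1}: expected T or F, got {kind!r}")
    return msgs


def repeat(units, my_addr, msgbuf, capacity=1):
    """Units a station sends downstream for the traffic it received.

    A frame addressed to my_addr is copied into msgbuf and repeated with
    C = 1, unless msgbuf is full, in which case it is repeated unchanged.
    """
    out = []
    for m in parse_messages(units):
        if m[0] == "token":
            out += [J, "T", K]
            continue
        _, da, sa, info, c = m
        if da == my_addr and len(msgbuf) < capacity:
            msgbuf.append((sa, info))
            c = 1
        out += [J, "F", da, sa, *info, K, c]
    return out


if __name__ == "__main__":
    # Constructed sample: a frame from station 1 to station 2, then a token.
    stream = [J, "F", 2, 1, "h", "i", K, 0, J, "T", K]
    print(parse_messages(stream))
    print(repeat(stream, my_addr=2, msgbuf=[]))
```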

C.  PROTOCOL  SPECIFICATION 

To  specify  the  token  ring  protocol,  a  state  diagram,  an  action  table  and  a 
picture  of  the  shared  and  local  variables  are  used.  Figure  2  depicts  the 
state  machine  diagram  of  the  model.  Table  1  contains  the  action  table,  and 
Figure  3  shows  the  shared  and  local  variables.  Table  2  contains  the 
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Figure  2;  State  Diagram  for  the  Token  Ring  Protocol 

transition  names  and  their  meanings;  this  table  Is  not  part  of  the 
specification  but  Is  Included  to  aid  the  understanding  of  the 
transitions.  [Ref.  2] 

Each edge of the state diagram is labeled with a transition name. The
enabling predicate and corresponding action which accompany the transition
appear in Table 1, the action table. Figure 3 contains the shared and local
variables associated with each station on the ring. The shared variables are
inbuf and outbuf, while PDU and msgbuf are local to each station. The index
variables (o, i, m, r, p) are also local variables. In the starting state (0 in
Figure 2), all buffer variables (inbuf, outbuf, PDU and msgbuf) are empty,
with exactly one exception, and all index variables are equal to 1. The
exception to the empty buffers is that one shared variable on the ring contains
the token, [J, T, K]. The local buffer variable PDU is used by the station to
queue messages waiting for transmission on the ring. A PDU is a protocol
data unit, the data block from the higher level protocol on the station. The
msgbuf local variable is used to queue incoming messages from the ring
until a higher level protocol is ready to accept them. [Ref. 2]

TABLE 1: ACTION TABLE FOR THE TOKEN RING PROTOCOL

The state diagram of Figure 2 for each machine on the ring can be viewed
as two distinct parts. In the left side, states 0-4, the station has no PDU
queued for transmission, while in the right side, states 5-15, the station
has a PDU ready for transmission. When a PDU is queued by a higher level
protocol, the PDU is placed in the next available slot in the PDU buffer to
await transmission. The enabling predicate for the PDU-G transition from
state 0 to state 5 reflects the result of this action by the higher level
protocol. A station in state 0 is just repeating incoming characters to its
downstream neighbor.

Figure 3: Local and Shared Variables of the Token Ring

After a PDU is queued and the station has taken the transition to state 5,
the station continues to repeat incoming characters until it can capture the
token and transmit the PDU. In both parts of the state diagram, the station
must copy any messages addressed to this station into its msgbuf, unless
the msgbuf is full. If the msgbuf is full, the higher level protocol has not
yet read the last message received, and the station takes the no transition.
This means the station does not receive the message; the sender will know
because the C bit (the frame copied field) will not be set. [Ref. 2]

TABLE 2: MEANINGS OF THE TRANSITION NAMES

If a station has a PDU queued and it captures the token, the station
transitions from state 5 through state 6 to state 7 and transmits the PDU.
After transmitting the PDU, the station transitions to state 8 and then to
state 9 by transmitting the 'K' character and the C bit (0). In state 9, the
station waits for the return of its message and strips it off the ring. When
the station recognizes its own address in the SA field, it transitions to
state 10 and transmits a new token on the ring. In state 11, the station
removes the remainder of its message from the ring. In state 12, the
station checks the frame copied bit, the C field. If C = 1, the destination
station copied the frame and this station can clear the PDU buffer and
return to state 0 via the OK transition. If C = 0, the destination station did
not copy the frame, so this station returns to state 5 to retransmit the PDU
(after recapturing the token, of course). [Ref. 2]

In the predicate-action table, Table 1, the action repeat is the basic act
of retransmitting (repeating) the incoming character to the downstream
station; it consists of the three statements

outbuf(o) ← inbuf(i); inbuf(i) ← 0; inc(o, i).

Increment (inc) adds one to each of its arguments using modulo arithmetic
to simulate a circular counter (i.e., if an argument is at its maximum value,
it is reset to its minimum value when it is incremented). [Ref. 2]
V. ANALYSIS OF THE TOKEN RING PROTOCOL


This chapter explains the results of using the specification described in
Chapter IV to analyze the token ring protocol. Section A gives the
background for the analysis by explaining what a reachability analysis is
and what the main problems associated with this type of analysis are.
Section B explains the secondary goal of this type of analysis: verifying the
model. Section B also describes the errors discovered in the specification
of the token ring protocol. Section C describes what the results of the
analysis were. The table included in Section C contains the 630 states that
were generated when the model was run.


A.  TYPE  OF  ANALYSIS 

As stated in Chapter II, a system state for the Systems of
Communicating Machines model is a tuple consisting of the state of every
machine in the network, plus the enabled outgoing transitions for each
machine. A global state for this model is a tuple consisting of the state of
every machine plus the values of all its variables, both local and shared. It
is possible for one system state to correspond to several global states;
that is, two system state tuples may be identical except for having
different outgoing transitions enabled and therefore having different values
in one or more variables.

One method of protocol analysis is called reachability analysis. Once a
specification of the protocol has been developed, it can be run (either
manually or on a computer) until all the possible system states have been
generated, or reached. These states can then be studied to detect possible
protocol failures. A reachability analysis is mostly used to detect deadlock
conditions. A deadlock exists when the system reaches a state from which
there is no exit; all communication on the network comes to a halt. Other
failure conditions that can be detected with a reachability analysis include
starvation (one or more machines never get a chance to transmit on the
network) and livelock (the network gets locked into a never-ending cycle of
a small number of system states).

There are two main problems with this type of analysis. First of all, it
is undecidable whether the analysis will ever terminate. This means that
there may be an infinite number of possible states. Secondly, even if the
analysis does terminate, there is for any nontrivial protocol a combinatorial
explosion of states. This means that the number of states may be so large
that even an automated analysis is impractical, taking days, weeks or years
of computer time.

A reachability analysis was performed on the system states; this is
called system state analysis. The analysis used an abbreviated form of the
global states. The tuples consisted of the state of each machine and the
values of its shared variables; local variables were not represented in
order to keep the size of the tuples small. The network consisted of two
machines; it is left to further research to expand the analysis to three or
more machines. The results of this analysis are contained in Part C of this
section. A total of 630 states were generated for this two-machine
network, and no errors in the token ring protocol were discovered.
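The procedure can be shown on a much smaller model than the thesis's 630-state specification. The following is an added example, not the thesis's model or code: a breadth-first reachability analysis over a constructed two-station ring in which each shared buffer holds one whole message, using abbreviated global states (s1, s2, inbuf1, inbuf2). The station states 0, 5 and 9 borrow the thesis's numbering, but the transition set and the `reissue_token` switch, which models a hypothetical faulty station that never releases a new token, are assumptions.

```python
from collections import deque

# Constructed, reduced model: each shared buffer holds one whole message.
EMPTY, TOKEN, FRAME, COPIED = "", "T", "F0", "F1"   # F0/F1 = frame with C bit 0/1
START = (0, 0, TOKEN, EMPTY)                        # (s1, s2, inbuf1, inbuf2)

def enabled(state, inbuf, outbuf, reissue_token):
    """Yield (name, new_state, new_inbuf, new_outbuf) for one station."""
    if state == 0:                                  # higher layer queues a PDU
        yield "PDU", 5, inbuf, outbuf
    if state in (0, 5) and outbuf == EMPTY:
        if inbuf == FRAME:                          # copy frame, set C bit, repeat
            yield "copy", state, EMPTY, COPIED
        elif inbuf == TOKEN and state == 0:         # nothing queued: repeat token
            yield "repeat", 0, EMPTY, TOKEN
        elif inbuf == TOKEN:                        # PDU queued: capture, transmit
            yield "xmit", 9, EMPTY, FRAME
    if state == 9 and inbuf == COPIED and outbuf == EMPTY:
        # Strip own frame (C = 1); a correct station then releases a new token.
        yield "OK", 0, EMPTY, (TOKEN if reissue_token else EMPTY)

def successors(gs, reissue_token=True):
    """All (transition^machine, next state) pairs from one abbreviated global state."""
    s1, s2, in1, in2 = gs                           # inbuf1 is outbuf2 and vice versa
    for name, ns, nin, nout in enabled(s1, in1, in2, reissue_token):
        yield name + "^1", (ns, s2, nin, nout)
    for name, ns, nin, nout in enabled(s2, in2, in1, reissue_token):
        yield name + "^2", (s1, ns, nout, nin)

def reachability(start=START, reissue_token=True):
    """Generate every reachable state breadth-first; return (table, deadlocks)."""
    table, queue = {}, deque([start])
    while queue:
        gs = queue.popleft()
        if gs not in table:
            table[gs] = list(successors(gs, reissue_token))
            queue.extend(nxt for _, nxt in table[gs])
    deadlocks = [gs for gs, out in table.items() if not out]
    return table, deadlocks

def returns_to_start(table, start=START):
    """True if the start state can be reached again from every generated state."""
    back, changed = {start}, True
    while changed:
        changed = False
        for gs, out in table.items():
            if gs not in back and any(nxt in back for _, nxt in out):
                back.add(gs)
                changed = True
    return back == set(table)

if __name__ == "__main__":
    for ok in (True, False):
        table, dead = reachability(reissue_token=ok)
        print(ok, len(table), dead, returns_to_start(table))
```

The returned table has the same shape as the thesis's Table 3: each state maps to the list of transitions leaving it, and a deadlock is a state whose list is empty.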
B. VERIFYING THE MODEL

A secondary goal in performing a reachability analysis is to verify the
proper operation of the model of the protocol. As the model is exercised and
new system states are reached, the user can check to see that the
transitions occur in a timely and logical (consistent with the actual
protocol) manner. The model can be fine tuned to correct any deficiencies.
It can also be modified to simplify the analysis or to bring its behavior
closer to the actual protocol's functioning.

In  performing  a  reachability  analysis  with  systems  of  communicating 
machines,  three  errors  were  discovered  in  the  token  ring  specification. 
Correcting  these  errors  brought  the  specification's  behavior  in  line  with  the 
protocol's  function  and  also  helped  minimize  the  number  of  possible  states. 

In  the  original  specification,  the  enabling  predicate  for  the  no 
transition (see Table 1) did not include inbuf(i) = 0. Not including this
condition  meant  that  a  machine  in  states  2  or  13  could  transition  without 
having  received  the  address  of  the  frame.  The  intent  of  the  no  transition  is 
to  continue  repeating  if  either  the  frame  is  addressed  to  someone  else  or 
this  machine  does  not  have  room  in  its  buffer  for  the  frame.  Adding  the 
condition  inbuf(i)  =  0  forces  the  machine  to  check  the  address  and/or  its 
buffers  before  transitioning. 

The second error in the original specification involved the Ack
transition. The original specification listed the transition as always
enabled; a machine in states 4 or 15 could immediately transition.
Problems arose if the sender had not taken the XEOF transition to state 9
yet. If the receiver sent an Ack and entered a repeat state, followed by the
sender taking the XEOF transition and transmitting a 0, the receiver would
repeat this 0 and an extra character would be in the queues. The Ack
transition was intended to remove this 0 from the system. Changing the
enabling predicate for Ack to inbuf(i) = 0 accomplishes this task.

The third correction to the original specification involved the Xmit
transition. The Xmit transition's original action was:

outbuf(o) ← PDU(r,p); inc(o,p).

While this action is technically correct, it led to a larger number of states
than necessary; i.e., every machine needed to take the Xmit transition three
times in order to transmit a one-character PDU. Modifying the action to:

outbuf(o) ← PDU(r,p); inc(o,p)

and changing the action of the (preceding) T2 transition to:

outbuf(o) ← F; inbuf(i) ← 0; inc(o,i),
outbuf(o, o+1) ← DA, SA; inc(o)

simplifies this transition and allows the sender to transmit an entire PDU
in one action.


C.  RESULTS  OF  THE  ANALYSIS 

Table 3 (in the appendix) contains a listing of all the states generated
with a two-machine network using the systems of communicating machines
model to specify a token ring network. The num column is a reference
number for each abbreviated global state. The s1 column contains the state
of machine 1, and similarly the s2 column contains the state of machine 2.
The inbuf1 column contains the contents of the inbuf shared variable for
machine 1 (and therefore, for this two-machine network, the contents of
the outbuf shared variable for machine 2); the inbuf2 column is the
contents of the inbuf shared variable for machine 2 and the outbuf shared
variable for machine 1. The last column contains tuples made up of a
transition name and a num reference number. The group of tuples represent
all possible transitions from the current state; the num reference number
for each transition directs the reader to the table entry for the new system
state if that transition is taken. The superscripts on the transition name
denote the number of the machine (1 or 2) which is taking that particular
transition; superscripts were used rather than subscripts because some
transition names contain subscripts already.
VI. CONCLUSIONS AND RECOMMENDATIONS


This thesis used the systems of communicating machines model to
specify the IEEE token ring protocol. The thesis then used this specification
to analyze the protocol. The purpose of this analysis is both to verify the
protocol functions properly and to verify the correctness of the
specification.

The analysis in Section V proves that the token ring protocol will not
fail in a two machine network. No states were generated from which there
is no transition out; therefore, the protocol is deadlock-free. Also, since
the token passed from one machine to the other with no problems,
starvation does not exist in a network which properly installs the token
ring standard. A close examination of the system states table shows that
no loops exist, either. The network moves from state to state smoothly, and
eventually returns to its starting state and starts the communication
process all over again.

The  analysis  in  Section  V  also  serves  to  validate  the  model  of  the  token 
ring  protocol.  Exhaustively  exercising  the  model  and  generating  every 
possible  state  proves  the  model  functions  properly.  This  model  can  be  used 
to evaluate other token ring implementations to test for failure conditions
and  to  test  how  well  they  conform  to  the  IEEE  standard. 

This model makes several simplifying assumptions about the token ring
protocol. Now that this version of the model has been verified, future
versions may relieve one or more of those simplifying assumptions in order
to more closely model the behavior of a token ring network. The model
could be modified to allow a station to transmit more than one frame at a
time when it has the token. This change would require some sort of timing
mechanism (such as another shared variable, called Clock) in order to model
the token holding timer. Adding timing to the model would also make it
more realistic. As the model now stands, one station can transmit several
characters in a row without the other station reacting. In a real network,
both stations would be transmitting alternately (actually, one station would
be transmitting and one would be repeating). With timing in the model, the
stations would have to take turns transmitting on the ring.

There  are  many  ways  to  add  to  the  model  to  make  it  more  closely 
resemble  the  actual  protocol.  However,  the  analyst  must  be  careful  when 
adding  complexity  to  the  model.  Adding  too  much  detail  can  make  the  model 
too  large  and  unwieldy  to  be  a  useful  analytical  tool.  If  the  model  yields  too 
many  possible  system  states,  it  will  be  too  difficult  to  interpret  the 
results  of  running  the  model. 

Future  research  may  want  to  add  detail  to  the  model  and  extend  these 
results  to  a  network  with  three  or  more  machines.  Extending  the  results  to 
a  network  of  n  machines  would  prove  the  protocol  won't  fail  under  any 
conditions  and  would  be  very  worthwhile. 